feat: Add per AZ tags support for NAT Gateway, NAT EIP and private route table

aayushsrivastava · aayushsrivastava · commit 4ba8cee5e51c · 2025-08-19T15:08:54.000+05:30
diff --git a/README.md b/README.md
@@ -503,8 +503,10 @@ No modules.
 | <a name="input_map_public_ip_on_launch"></a> [map\_public\_ip\_on\_launch](#input\_map\_public\_ip\_on\_launch) | Specify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is `false` | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be used on all the resources as identifier | `string` | `""` | no |
 | <a name="input_nat_eip_tags"></a> [nat\_eip\_tags](#input\_nat\_eip\_tags) | Additional tags for the NAT EIP | `map(string)` | `{}` | no |
+| <a name="input_nat_eip_tags_per_az"></a> [nat\_eip\_tags\_per\_az](#input\_nat\_eip\_tags\_per\_az) | Additional tags for the NAT EIP where the primary key is the AZ | `map(map(string))` | `{}` | no |
 | <a name="input_nat_gateway_destination_cidr_block"></a> [nat\_gateway\_destination\_cidr\_block](#input\_nat\_gateway\_destination\_cidr\_block) | Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route | `string` | `"0.0.0.0/0"` | no |
 | <a name="input_nat_gateway_tags"></a> [nat\_gateway\_tags](#input\_nat\_gateway\_tags) | Additional tags for the NAT gateways | `map(string)` | `{}` | no |
+| <a name="input_nat_gateway_tags_per_az"></a> [nat\_gateway\_tags\_per\_az](#input\_nat\_gateway\_tags\_per\_az) | Additional tags for the NAT gateways where the primary key is the AZ | `map(map(string))` | `{}` | no |
 | <a name="input_one_nat_gateway_per_az"></a> [one\_nat\_gateway\_per\_az](#input\_one\_nat\_gateway\_per\_az) | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs` | `bool` | `false` | no |
 | <a name="input_outpost_acl_tags"></a> [outpost\_acl\_tags](#input\_outpost\_acl\_tags) | Additional tags for the outpost subnets network ACL | `map(string)` | `{}` | no |
 | <a name="input_outpost_arn"></a> [outpost\_arn](#input\_outpost\_arn) | ARN of Outpost you want to create a subnet in | `string` | `null` | no |
@@ -528,6 +530,7 @@ No modules.
 | <a name="input_private_inbound_acl_rules"></a> [private\_inbound\_acl\_rules](#input\_private\_inbound\_acl\_rules) | Private subnets inbound network ACLs | `list(map(string))` | <pre>[<br/>  {<br/>    "cidr_block": "0.0.0.0/0",<br/>    "from_port": 0,<br/>    "protocol": "-1",<br/>    "rule_action": "allow",<br/>    "rule_number": 100,<br/>    "to_port": 0<br/>  }<br/>]</pre> | no |
 | <a name="input_private_outbound_acl_rules"></a> [private\_outbound\_acl\_rules](#input\_private\_outbound\_acl\_rules) | Private subnets outbound network ACLs | `list(map(string))` | <pre>[<br/>  {<br/>    "cidr_block": "0.0.0.0/0",<br/>    "from_port": 0,<br/>    "protocol": "-1",<br/>    "rule_action": "allow",<br/>    "rule_number": 100,<br/>    "to_port": 0<br/>  }<br/>]</pre> | no |
 | <a name="input_private_route_table_tags"></a> [private\_route\_table\_tags](#input\_private\_route\_table\_tags) | Additional tags for the private route tables | `map(string)` | `{}` | no |
+| <a name="input_private_route_table_tags_per_az"></a> [private\_route\_table\_tags\_per\_az](#input\_private\_route\_table\_tags\_per\_az) | Additional tags for the private route tables where the primary key is the AZ | `map(map(string))` | `{}` | no |
 | <a name="input_private_subnet_assign_ipv6_address_on_creation"></a> [private\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_private\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no |
 | <a name="input_private_subnet_enable_dns64"></a> [private\_subnet\_enable\_dns64](#input\_private\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no |
 | <a name="input_private_subnet_enable_resource_name_dns_a_record_on_launch"></a> [private\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_private\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no |
diff --git a/main.tf b/main.tf
@@ -307,6 +307,7 @@ resource "aws_route_table" "private" {
     },
     var.tags,
     var.private_route_table_tags,
+    lookup(var.private_route_table_tags_per_az, element(var.azs, count.index), {})
   )
 }
 
@@ -1103,6 +1104,7 @@ resource "aws_eip" "nat" {
     },
     var.tags,
     var.nat_eip_tags,
+    lookup(var.nat_eip_tags_per_az, element(var.azs, count.index), {})
   )
 
   depends_on = [aws_internet_gateway.this]
@@ -1129,6 +1131,7 @@ resource "aws_nat_gateway" "this" {
     },
     var.tags,
     var.nat_gateway_tags,
+    lookup(var.nat_gateway_tags_per_az, element(var.azs, count.index), {})
   )
 
   depends_on = [aws_internet_gateway.this]
diff --git a/variables.tf b/variables.tf
@@ -408,6 +408,12 @@ variable "private_route_table_tags" {
   default     = {}
 }
 
+variable "private_route_table_tags_per_az" {
+  description = "Additional tags for the private route tables where the primary key is the AZ"
+  type        = map(map(string))
+  default     = {}
+}
+
 ################################################################################
 # Private Network ACLs
 ################################################################################
@@ -1252,12 +1258,24 @@ variable "nat_gateway_tags" {
   default     = {}
 }
 
+variable "nat_gateway_tags_per_az" {
+  description = "Additional tags for the NAT gateways where the primary key is the AZ"
+  type        = map(map(string))
+  default     = {}
+}
+
 variable "nat_eip_tags" {
   description = "Additional tags for the NAT EIP"
   type        = map(string)
   default     = {}
 }
 
+variable "nat_eip_tags_per_az" {
+  description = "Additional tags for the NAT EIP where the primary key is the AZ"
+  type        = map(map(string))
+  default     = {}
+}
+
 ################################################################################
 # Customer Gateways
 ################################################################################

Original file line number	Diff line number	Diff line change
`@@ -307,6 +307,7 @@ resource "aws_route_table" "private" {`
`307`	`307`	`},`
`308`	`308`	`var.tags,`
`309`	`309`	`var.private_route_table_tags,`
	`310`	`+ lookup(var.private_route_table_tags_per_az, element(var.azs, count.index), {})`
`310`	`311`	`)`
`311`	`312`	`}`
`312`	`313`
`@@ -1103,6 +1104,7 @@ resource "aws_eip" "nat" {`
`1103`	`1104`	`},`
`1104`	`1105`	`var.tags,`
`1105`	`1106`	`var.nat_eip_tags,`
	`1107`	`+ lookup(var.nat_eip_tags_per_az, element(var.azs, count.index), {})`
`1106`	`1108`	`)`
`1107`	`1109`
`1108`	`1110`	`depends_on = [aws_internet_gateway.this]`
`@@ -1129,6 +1131,7 @@ resource "aws_nat_gateway" "this" {`
`1129`	`1131`	`},`
`1130`	`1132`	`var.tags,`
`1131`	`1133`	`var.nat_gateway_tags,`
	`1134`	`+ lookup(var.nat_gateway_tags_per_az, element(var.azs, count.index), {})`
`1132`	`1135`	`)`
`1133`	`1136`
`1134`	`1137`	`depends_on = [aws_internet_gateway.this]`